CVE-2022-42919 – python: local privilege escalation via the multiprocessing forkserver start method
https://notcve.org/view.php?id=CVE-2022-42919
Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. • https://github.com/python/cpython/compare/v3.10.8...v3.10.9 https://github.com/python/cpython/compare/v3.9.15...v3.9.16 https://github.com/python/cpython/issues/97514 https://github.com/python/cpython/issues/97514#issuecomment-1310277840 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH https://lists.fedo • CWE-269: Improper Privilege Management •
CVE-2022-40289 – Stored cross-site scripting in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC via file upload and download functionality.
https://notcve.org/view.php?id=CVE-2022-40289
The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the upload and download functionality, which could be leveraged to escalate privileges or compromise any accounts they can coerce into observing the targeted files. • https://www.themissinglink.com.au/security-advisories/cve-2022-40289 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-40288 – Stored cross-site scripting in PHP Point of Sale version 19.0, by PHP Point of Sale, LLC via messaging functionality
https://notcve.org/view.php?id=CVE-2022-40288
The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the user profile data fields, which could be leveraged to escalate privileges within and compromise any account that views their user profile. • https://www.themissinglink.com.au/security-advisories/cve-2022-40288 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-41973 – device-mapper-multipath: multipathd: insecure handling of files in /dev/shm leading to symlink attack
https://notcve.org/view.php?id=CVE-2022-41973
This could be used indirectly for local privilege escalation to root. multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited in conjunction with CVE-2022-41974. ... This could be used indirectly for local privilege escalation to root. • http://packetstormsecurity.com/files/169611/Leeloo-Multipath-Authorization-Bypass-Symlink-Attack.html http://packetstormsecurity.com/files/170176/snap-confine-must_mkdir_and_open_with_perms-Race-Condition.html http://seclists.org/fulldisclosure/2022/Dec/4 http://seclists.org/fulldisclosure/2022/Oct/25 http://www.openwall.com/lists/oss-security/2022/10/24/2 http://www.openwall.com/lists/oss-security/2022/11/30/2 https://bugzilla.suse.com/show_bug.cgi?id=1202739 https://github.com/open • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVE-2022-41644 – Delta Industrial Automation InfraSuite Device Master ModifyPrivByID Missing Authentication Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2022-41644
This vulnerability allows remote attackers to escalate privileges or create a denial-of-service condition on affected installations of Delta Industrial Automation InfraSuite Device Master. ... An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the user or to create a denial-of-service condition on the system. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-07 • CWE-306: Missing Authentication for Critical Function •